CyberCNS - Troubleshooting FAQs

 

Assessment

CyberCNS Assessment Video

CyberCNS Assessment Demonstration

To run the Assessment agent in debug mode

For Windows:

  • Open Command Prompt as an administrator on the system where the assessment agent is running.

  • Navigate to the folder where the assessment agent was extracted.

  • Run the command below.

>>cybercnsagent.exe --enableAssessment

For Mac:

  • Open a terminal as a privileged user on the system where the assessment agent is running.

  • Navigate to the folder where the assessment agent was extracted.

  • Run the command below.

>>cybercnsagent_darwin --enableAssessment

For Linux:

  • Open a terminal as a privileged user on the system where the assessment agent is running.

  • Navigate to the folder where the assessment agent was extracted.

  • Run the command below.

>>cybercnsagent_linux --enableAssessment

For ARM:

  • Open a terminal as a privileged user on the system where the assessment agent is running.

  • Navigate to the folder where the assessment agent was extracted.

  • Run the command below.

>>cybercnsagent_arm --enableAssessment

Then start an assessment scan by opening https://localhost:8088 in a browser on that system.

Once the scan starts, the log output appears in the command prompt or terminal window.

Scans


To check the log in verbose mode by running the agent in debug mode

This helps find where a scan is failing, or why the agent is not reporting back to the CyberCNS portal.

CyberCNS Agent (Probe and Lightweight) logs are located at:

  • For Windows: C:\Program Files (x86)\CyberCNSAgentV2\logs\cybercns.log

  • For Mac: /opt/CyberCNSAgentV2/logs/cybercns.log

  • For Linux: /opt/CyberCNSAgentV2/logs/cybercns.log

  • For ARM Agent: /opt/CyberCNSAgentV2/logs/cybercns.log

To run the debug mode command for Windows:

-Run Command Prompt as an admin

-Navigate to the CyberCNS Agent folder

>cd C:\Program Files (x86)\CyberCNSAgentV2

-Stop the CyberCNSAgentV2 and CyberCNSAgentMonitor services

>net stop cybercnsagentv2

>net stop cybercnsagentmonitor

-Run the command below to start the agent in debug mode

>cybercnsagentv2.exe -m Probe -d

Initiate the relevant scan from the portal once the command above is running. Start the two services again (net start cybercnsagentv2, then net start cybercnsagentmonitor) when you are done, otherwise the agent stays down after you close the window.

To run the debug mode command for the Linux or ARM agent:

-->Open a terminal as a privileged user

  1. sudo su

  2. systemctl stop cybercnsagentv2

  3. systemctl stop cybercnsagentmonitor

  4. cd /opt/CyberCNSAgentV2

  5. ./cybercnsagentv2_linux -t Probe -d

For ARM, run this instead of step 5:

  1. ./cybercnsagentv2_arm -t Probe -d

To run the debug mode command for Mac:

-->Open a terminal as a privileged user

  1. sudo su

  2. launchctl stop cybercnsagentv2

  3. launchctl stop cybercnsagentmonitor

  4. cd /opt/CyberCNSAgentV2

  5. ./cybercnsagentv2_darwin -t Probe -d

Initiate the relevant scan once the command above is running, and start the services again afterwards.

Vulnerability scan failure with an nmap error in cybercns.log

Vulnerability scans fail and cybercns.log shows an nmap error. On Windows, nmap depends on the Npcap packet-capture driver, and a stale or conflicting pcap driver (WinPcap, or an older Npcap build) is the usual cause.

Check whether WinPcap or Npcap is installed on the agent system (where the CyberCNS agent is installed).

  • If either is installed, ask the customer to remove it. After uninstalling WinPcap/Npcap the system usually needs a reboot; inform the customer.

Follow the steps below to remove WinPcap or Npcap:

Step 1: Stop the agent services

>> net stop cybercnsagentv2

>> net stop cybercnsagentmonitor

Step 2: Uninstall Npcap and any other pcap driver (WinPcap, older Npcap builds) from the agent machine

>> This is done from the Windows Programs and Features GUI.

Step 3: Reboot the machine. (pcap drivers run in the kernel, so a reboot is required for a clean uninstall.)

Step 4: Install the latest Npcap on the machine, start the agent services again and initiate a scan to confirm the issue is resolved.

 

Active Directory scan information missing issue

Active Directory section missing information after an AD scan

Active Directory information not captured during the AD scan

  • First confirm that the machine being scanned is actually a domain controller. Open PowerShell as an admin on the Active Directory system and run:

>>(Get-WmiObject -Class Win32_OperatingSystem).ProductType
--Output: 2 means the machine is a domain controller (the AD scan can collect directory data)

--Output: 1 means a workstation and 3 a member server; the AD scan cannot collect directory data from these, so point it at a DC instead

  • Open Command Prompt as an admin and start the AD scan manually to verify further:

> cybercnsagent.exe -m Adscan

Exclude a printer port or IP if a printer prints garbage/junk pages while a CyberCNS scan is in progress

CyberCNS already excludes the common printer ports, but some models need additional handling and may print junk while a scan is in progress (a service probe that reaches a raw-print port is printed as a job).

  1. Collect the printer model and the port number the printer uses.

  2. Reproduce the junk printing with the command below so the offending port can be confirmed:

    a. Navigate to the CyberCNS agent nmap folder on the agent system:

    cd C:\Program Files (x86)\CyberCNSAgentV2\nmap

    b. Run a service probe against the printer:

    nmap.exe -sV -p80 -Pn --script vulners.nse <ip address>

  3. Have the customer exclude the IP address or the ports temporarily to stop the junk printing:

    a. In the CyberCNS portal, navigate to Probe/Agent > Discovery Settings > IP Ranges

    b. Define an IP address/IP range and select Exclude from Scanning.

    c. Navigate to Settings > Port Policy Settings and enter the port number to exclude from scanning.

Printer is printing junk pages though it has been successfully excluded from scanning

This happens when the printer is shared from print server services on the Domain Controller rather than being reached directly.

  1. An SMB print server may be present in the environment, with port 139 used for SMB printing. In that case add port 139 to the global discarded-ports setting; excluding this port normally resolves the printer issue.

  2. SMB printer scanning has been removed for all known printer vendors, so those printers are no longer probed over SMB.

Agent discovery scan result shows a response for every IP in the subnet added for scanning

Run the command below on the agent (Probe Agent) system using Command Prompt as an admin and share the output with support.

>>nmap -oX - -T4 -Pn -sT --top-ports 65535 --reason <IP Address>

--<IP Address> in the command above is the CIDR range to be scanned. Note that -Pn marks every address as up (reason "user-set"), so only the per-port reasons in the XML tell real hosts apart from a firewall or proxy that completes the TCP handshake on behalf of every address in the range.
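The check support performs on that XML can be scripted. The following is an added example, not CyberCNS code: it parses the -oX output of the command above and flags a range where every address reports the identical set of open ports with reason syn-ack, which is what a middlebox answering for unused addresses looks like. The XML samples are constructed here in the shape nmap emits; the threshold and verdict wording are this example's own.

```python
"""Added example (not part of the CyberCNS page or product): analyse the XML
that `nmap -oX - -T4 -Pn -sT --top-ports 65535 --reason <CIDR>` writes to
stdout, to tell real hosts from a middlebox that answers for every address."""
import xml.etree.ElementTree as ET
from collections import Counter


def build_sample_xml(hosts):
    """Constructed nmap XML for the demo (shape matches nmap's -oX output;
    hosts is {addr: [(port, state, reason), ...]})."""
    parts = ['<?xml version="1.0"?><nmaprun scanner="nmap" args="nmap -oX - -Pn -sT --reason">']
    for addr, ports in hosts.items():
        # With -Pn nmap never probes for liveness, so every host is "up" by fiat.
        parts.append(f'<host><status state="up" reason="user-set"/>'
                     f'<address addr="{addr}" addrtype="ipv4"/><ports>')
        for port, state, reason in ports:
            parts.append(f'<port protocol="tcp" portid="{port}">'
                         f'<state state="{state}" reason="{reason}"/></port>')
        parts.append('</ports></host>')
    parts.append('</nmaprun>')
    return ''.join(parts)


# Constructed: a small range where every address "has" the same two open ports,
# the signature of a firewall or proxy-ARP device completing the handshake for
# addresses that are not in use.
UNIFORM_SCAN = build_sample_xml({
    f"10.0.0.{i}": [(80, "open", "syn-ack"), (443, "open", "syn-ack")] for i in range(1, 7)
})
# Constructed: a genuine result, a web server, a file server, and four addresses
# with nothing listening.
REAL_SCAN = build_sample_xml({
    "10.0.0.1": [(80, "open", "syn-ack"), (443, "open", "syn-ack")],
    "10.0.0.2": [(445, "open", "syn-ack"), (3389, "closed", "conn-refused")],
    **{f"10.0.0.{i}": [(80, "filtered", "no-response")] for i in range(3, 7)},
})


def parse_hosts(xml_text):
    """Return [{'addr': ..., 'open': ((port, reason), ...)}, ...], one per host."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.append((int(port.get("portid")), state.get("reason")))
        hosts.append({"addr": addr.get("addr"), "open": tuple(sorted(open_ports))})
    return hosts


def diagnose(hosts, min_hosts=3):
    """Flag a range in which every address reports the identical open-port set.

    The host-level 'up' carries no evidence under -Pn (reason is always
    user-set); only port-level 'syn-ack' does, and the same syn-ack ports on
    every single address means something upstream is answering for all of them.
    """
    responding = [h for h in hosts if h["open"]]
    signatures = Counter(h["open"] for h in responding)
    uniform = (len(hosts) >= min_hosts
               and len(responding) == len(hosts)
               and len(signatures) == 1)
    return {
        "scanned": len(hosts),
        "responding": len(responding),
        "uniform": uniform,
        "signature": next(iter(signatures)) if uniform else None,
        "verdict": ("suspect: a middlebox is answering for every IP; "
                    "re-scan from a host on the same L2 segment or exclude the range"
                    if uniform else "ok: responses differ per host"),
    }


if __name__ == "__main__":
    for label, xml_text in (("uniform", UNIFORM_SCAN), ("real", REAL_SCAN)):
        print(label, diagnose(parse_hosts(xml_text)))
```

Pipe the real scan in with nmap's -oX - and feed the text to parse_hosts; a "uniform" verdict means the discovery result is an artifact of the network path, not a list of live hosts, and the range should be scanned from a probe on the same segment.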

Scan failures


Case 1: dial tcp <ipaddress>:445 failure (the probe could not open a TCP connection to SMB on the asset)

For this issue run the commands below in PowerShell as an administrator on the reported host, then initiate a scan. They enable SMB2 on the server side and enable the inbound firewall rules that SMB scanning needs.

-> Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force

-> Set-NetFirewallRule -DisplayName "File And Printer Sharing (SMB-In)" -Enabled true -Profile Any

-> Set-NetFirewallRule -DisplayName "File And Printer Sharing (NB-Session-In)" -Enabled true -Profile Any

Caveat: -Profile Any opens TCP 445/139 on the Public profile too. On assets that leave the office network, scope the rule to the Domain profile, or restrict it to the probe's IP address with the -RemoteAddress parameter of Set-NetFirewallRule, rather than exposing SMB on every network the machine joins.

Case 2: No credential matched

  1. For Active Directory credentials, ensure the domain is entered as the fully qualified domain name (FQDN) and that the Active Directory DC name is given as an IP address (if DNS resolution fails, the asset name will not work). Refer to the screenshot below.

  2. For an Asset Inventory scan credential-match issue, follow the steps below to verify.

This tool verifies SMB communication between the probe agent and the remote asset. If the tool succeeds from the agent machine, the probe agent will be able to scan the remote asset for vulnerabilities and produce a Risk Score for it.

  • ​Download the file and copy it to the CyberCNS installation folder, C:\Program Files (x86)\CyberCNSAgentV2

Use the link below to download the SMB validation tool for running from a Windows agent against a Windows asset: https://betadev.mycybercns.com/agents/validateSMB.exe
Use the link below for running from a Linux agent against a Windows asset: https://betadev.mycybercns.com/agents/validateSMB_linux

  • Navigate to the location of the file and run the command below in PowerShell as an admin

>>./validateSMB.exe -hostname <IPAddress> -username <Username> -password <Password> -domain <domainname>

Note: Put the password in double quotes.

Eg: >>./validateSMB.exe -hostname 10.10.10.22 -username cybercns -password "asdfghj" -domain cybercns

The password is passed on the command line, so it is visible in the process list and recorded in PowerShell history; use the dedicated scanning account rather than a personal admin account, and clear the history afterwards.

To enable SMB on the asset, open PowerShell as administrator and run the same three commands listed under Case 1 above (the SMB2 registry value and the two File and Printer Sharing firewall rules), with the same caveat about scoping the firewall rules.

Once SMB is enabled successfully, scan one asset that previously failed due to SMB using the probe agent and validate the scan result.

Case 3: OS type not detected

OS type is derived from the open ports found by the nmap port scan. If the CyberCNS agent's port scan finds no open ports, the asset only answers the nmap ping, there is nothing to fingerprint, and the error "OS Type Not detected" is shown. To confirm, run the commands below from the agent machine.

  • Open Command Prompt as an administrator

  • Navigate to the cybercnsagentv2 nmap folder

-> cd C:\Program Files (x86)\CyberCNSAgentV2\nmap

  • Run the nmap command

>>nmap.exe -sT --top-ports 3300 <IP Address>

If the command reports no open ports, the error above is correct (the asset is firewalled from the probe, or only listens on ports outside the top 3300).

If the command reports open ports, send a screenshot to Support for further investigation.

PII scan for Mac: scan status not updating

Grant cybercnsagentv2_darwin Full Disk Access (System Settings or System Preferences > Privacy & Security > Full Disk Access) so the PII scan for Mac can read user files, complete, and report its status. The binary is in the agent installation folder, /opt/CyberCNSAgentV2/.

 

Agent related issues

AV/EDR alert while a scan is in progress

AV/EDR alerting while a CyberCNS scan is in progress

  • For remote assets scanned via the Probe Agent, allow-list the executable path of the dissolvable agent on the remote asset: "C:\windows\CyberCNS_DissolvableAgent".

  • Or create an IOA exclusion that matches the executables on all drives.

Primary executables in CyberCNSAgentV2 to allow-list

Below are the primary executables in the CyberCNSAgentV2 installation folder to allow-list on the CyberCNS agent system.

​cybercnsagent.exe
cyberutils.exe
nmap.exe
osqueryi.exe
cybercnsagentmonitor.exe

For remote assets scanned via the Probe Agent:

  • Allow-list the executable path of the dissolvable agent on the remote asset: "C:\windows\CyberCNS_DissolvableAgent"

  • To allow-list the folder on the remote asset, use the folder path "C:\Windows\CyberCNSAgent"

Prefer exclusions keyed on the exact executable path (and, where the EDR supports it, the signing publisher) over broad folder or IOA exclusions: an excluded folder under C:\Windows that an attacker can write to is a ready-made blind spot.

To uninstall cybercnsagentv2 from the command prompt

For Windows:

-Run Command Prompt as an admin

-Navigate to the CyberCNS Agent folder

>cd C:\Program Files (x86)\CyberCNSAgentV2

-Stop the CyberCNSAgentV2 service

>net stop cybercnsagentv2

-Remove/uninstall CyberCNSAgentV2

>cybercnsagentv2.exe -r

For Linux

For Mac

For ARM

To uninstall cybercnsagentv2 from the Windows GUI

For Windows:

  • Stop the CyberCNSAgentV2 service

  • Navigate to the cybercnsagentv2 folder

    >cd C:\Program Files (x86)\CyberCNSAgentV2

  • Run uninstall.bat as administrator and follow the on-screen instructions

Upgrade/update the agent manually

For Windows:

Use the commands below to upgrade/update the agent manually:

-Open Command Prompt as an admin

-Navigate to the CyberCNS Agent V2 folder (C:\Program Files (x86)\CyberCNSAgentV2)

>net stop CyberCNSAgentV2 (stop the CyberCNSAgentV2 service)

>cybercnsagentv2.exe -u (update the agent)

>cybercnsagentv2.exe -v (check the agent version)

> net start CyberCNSAgentV2 (start the CyberCNSAgentV2 service)

For Linux

For Mac

For ARM

For Mac: verify whether the binary is running as a privileged user

If the Mac agent is not registering, the macOS firewall may be blocking the binary from running.

Run the commands below in a terminal as an admin user to verify whether the binary is running:

>> sudo su

>>​ps -ef | grep cybercnsagentv2_darwin

If no cybercnsagentv2_darwin process is listed (other than the grep itself), the agent is not running; use the start/stop steps and the foreground run below to find out why.

Steps to start and stop the agent on Mac

Below are the steps to start and stop the agent on Mac.

​To stop CyberCNSAgent
sudo launchctl unload -w /Library/LaunchDaemons/com.CyberCNSAgentV2.AgentService.plist

To start CyberCNSAgent
sudo launchctl load -w /Library/LaunchDaemons/com.CyberCNSAgentV2.AgentService.plist

To validate why the agent is not starting: Mac

For Mac: run the commands below to validate why the agent is not starting and share the output with support

>>sudo su

>>cd /opt/CyberCNSAgentV2

>>./cybercnsagentv2_darwin -t Lightweight (runs the agent in debug mode in the foreground so its startup errors are visible)

CyberCNS Agent is not reporting back to the portal

CyberCNS Agent is not reporting back to the portal (issue introduced by the 30-09-2021 patch; fix released on 01-10-2021)

a. Uninstall the agent and reinstall it, since the fix is released for builds not updated to 01-10-2021, OR

b. Run the commands below on the Linux agent system and verify.

cd /opt/CyberCNSAgentV2
rm AssetScannedTime.txt
systemctl restart cybercnsagentv2

To check the type of agent installed for RMM use

For RMM use, the customer wants to know the type of agent installed.

​Use the command below to verify whether the CyberCNS agent is running as a Probe or a LightWeight agent. (wmic is deprecated and absent from recent Windows builds; querying the Win32_Process class with Get-CimInstance from PowerShell returns the same Caption, ProcessId and CommandLine fields.)

WMIC path win32_process where caption="cybercnsagentv2.exe" get Caption,Processid,Commandline

​Results will be as below for LightWeight and Probe; the -t value in CommandLine is the agent type.

​For LightWeight Agent

Caption              CommandLine                                                                  ProcessId
cybercnsagentv2.exe  "C:\Program Files (x86)\CyberCNSAgentV2\cybercnsagentv2.exe" -t LightWeight  1392

For Probe Agent

Caption              CommandLine                                                                  ProcessId
cybercnsagentv2.exe  "C:\Program Files (x86)\CyberCNSAgentV2\cybercnsagentv2.exe" -t Probe        1876

A few nmap commands that help obtain certain information, with the reason for each

  • External deep scan information verification

>>nmap -oX - -T4 -Pn -sT --top-ports 65535 -sV --script ssl-cert,ssl-enum-ciphers,ssl-dh-params,ssl-heartbleed --script-timeout 120s --osscan-limit --max-rtt-timeout 100ms --max-parallelism 100 --min-hostgroup 100 --host-timeout 20m --reason <IP Address>

  • Asset discovery information (ping sweep only, no port scan)

>>nmap.exe -sn 192.168.x.x/24 --reason

  • Asset port status information

>>nmap -oX - -T4 -Pn -sT --top-ports 65535 --reason <IP Address>

  • External scan for the top 1000 ports:

>>nmap -sT --top-ports 1000 <IP Address>

  • If none of the top 1000 ports answers, check whether the IP responds to ping at all (-sP is the legacy spelling of -sn). If either of the above succeeds, the ports outside the top 1000 are then scanned with the internal port scanner.

>>nmap -sP <IP Address>

  • Based on the open ports found, the matching NSE scripts are run against them

>>nmap -sV -p <Ports> --script <NSE Scripts for the given ports> <IP Address>

Windows 7: CyberCNS Agent installation fails when using the direct PowerShell script from CyberCNS

Windows 7 64-bit systems can fail to install the CyberCNS Agent when using the direct PowerShell script from CyberCNS.

On Windows 7 the PowerShell script that downloads the CyberCNS agent directly has problems. Download the agent onto the system manually and run only the installation part of the command in PowerShell as an admin:

 ./cybercnsagent.exe -c 063fc29f-5ed8-428d-9f17-f28fb89ea545 -a 063fc29f-5ed8-428d-9f17-f28fb89ea545 -s 9beeb131-3241-4d50-bdb3-67ac43a80028 -b learnv2.mycybercns.com -i LightWeight

Note: The command above is for reference only. Use the command from your own CyberCNS portal; the identifiers in it are specific to your portal and company.

CyberCNS Agent 2.0.28: AD lockout issue

CyberCNS Agent 2.0.28: AD lockout issue addressed

This was resolved in agent 2.0.28. The agent no longer makes invalid logins, and it does not retry a username and password combination that has already failed on any of the assets: once a credential fails it is not tried again until the credential has been modified. This removes account lockouts caused by repeated failed attempts.

Comparison of Probe/Lightweight agents for Mac vs Windows: what can and cannot be scanned

A comparison of what can and can't be scanned with the Probe/Lightweight agents for Mac vs Windows

  1. Using a Probe agent you can query endpoints, servers and network devices (SNMP enabled).

  2. Using the Lightweight agent you can scan only the endpoint or server on which the agent is installed.

  3. Scans are supported on Windows, Mac and Linux operating systems.

  4. For Mac and Linux, Nmap 7.92 or later is required to obtain all of the information.

  5. The Lightweight agent does not scan for network vulnerabilities. It collects information about the system on which it is installed (useful in work-from-home scenarios where the user is not on the corporate/office network).

CyberCNS Agent installation error: The system cannot find the path specified.

The CyberCNS Agent installation gives the error "The system cannot find the path specified."

Install the CyberCNS Agent from PowerShell run as an administrator, or from Command Prompt run as an administrator.

New agent installation using RMM

New agent installation via RMM needs a download URL, because the manual installation PowerShell script in the CyberCNS portal expires after 15 minutes.

The GET URL below generates a download link you can use to download the agent:

https://configuration.mycybercns.com/api/v3/configuration/agentlink?ostype=windows

​>>Supported ostype keys

  1. For Windows -> windows

  2. For Linux -> linux

  3. For Mac -> darwin

  4. For ARM / Raspberry Pi -> arm

​The response is a download URL, so the link does not need to be hard-coded and can be used in automation. Because the RMM script runs the downloaded binary as administrator on every endpoint, have it verify the file (code signature or a known-good hash) before executing it.

SMB enabled but scan failing

SMB is enabled on Windows 11, yet the scans are failing:

Follow the steps below to enable SMB on Windows:

https://docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3

Additionally, after enabling SMB on Windows 11, add the registry value below so information can be collected over SMB with a local account:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

Caveat: LocalAccountTokenFilterPolicy=1 disables UAC remote restrictions, so every local administrator account on the machine receives a full administrative token over the network. That is also what makes a stolen local admin password or hash usable for lateral movement. It is only needed when scanning with a local account; a domain account that is a member of the local Administrators group does not need it and is the safer choice.

Vulnerability scan time-out error: Exception calling RStartServiceW. Code: 5, Msg: ERROR_ACCESS_DENIED

Vulnerability scans timed out with the error "Exception calling RStartServiceW. Code: 5, Msg: ERROR_ACCESS_DENIED"

RStartServiceW is the Service Control Manager RPC call used to start the dissolvable-agent service on the remote machine; the error means the probe agent was not allowed to create or start that service there. Verify whether an EDR is blocking service creation, and whether the scanning user has the permissions required to create and start a service on the target (local administrator membership).

CyberCNS log file error: Error in installing VC_redist.x86.exe out:  err:-

The CyberCNS log file shows the error Log [Error in installing VC_redist.x86.exe out:  err:- ]

This runtime is required to run the nmap scan, and something is blocking the installer from running. Install "VC_redist.x86.exe" manually from the CyberCNS agent folder and verify by initiating a scan.

The file is located in "C:\Program Files (x86)\CyberCNSAgentV2\nmap".

Self-hosted deployment

For CyberCNS Updates

CyberCNS V2 SSL certificate path for the customer to update

CyberCNS V2 SSL certificate path for the customer to update on their own.

Location of file>> /etc/nginx/conf.d/vuln.conf
ssl_certificate /etc/letsencrypt/live/vuln.dbtsupport.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/vuln.dbtsupport.com/privkey.pem;

Point these two directives at the new full-chain certificate and private key (keep the key file readable by root only), test the configuration with nginx -t, and then reload nginx for the change to take effect.

CyberCNS Password requirement

Error on on-premise installation: Minion is unable to communicate with Salt

"Minion is unable to successfully communicate with Salt" error for on-premise installations:

-Confirm the minion registration with the tech team before running the commands below on the on-premise instance. They delete the minion's key pair; the minion generates a new one on restart, and the Salt master has to accept the new key before updates flow again.

rm /etc/salt/pki/minion/*

systemctl restart salt-minion

Not getting new updates released for CyberCNS

This happens when the salt-minion service is not connecting to update the instance.

To check the salt-minion status, run the command below

systemctl status salt-minion

Run the command below to restart the salt-minion service

systemctl restart salt-minion

Update the SSL certificate for an on-premise (self-hosted) CyberCNS instance

How to update the certificate for an on-premise (self-hosted) CyberCNS instance

The customer can find the configuration file at the location below:

 /etc/nginx/conf.d/<domainname>.conf

The customer can reference their own certificate and key files here, in the ssl_certificate and ssl_certificate_key directives as in the vuln.conf example above.

Azure AD integration-related issues

Azure CSP account re-authentication

Azure CSP account authentication error: use the steps below to re-authenticate the CSP account.

Follow the steps below to re-authenticate the CSP account:

  • In the Azure portal go to Enterprise applications, search for the CyberCNS application and open it.

  • Click Properties in the left menu, then delete the CyberCNS application using the Delete link at the top right.

  • In the CyberCNS portal, delete your Azure AD credentials and re-authenticate.

  • For a CSP account you need to grant admin consent for all the tenants. Refer to the screenshot below.

  • Then you can add the company mapping.

  • Use an incognito/private browser window while doing the CSP authentication and authorization, so a cached session for another account does not interfere.

Azure AD errors out with user consent missing

Follow the steps below to configure user consent settings through the Azure portal:

  • Log in to Microsoft Partner Center -> go to the Customer List -> select the customer whose data is not loading in CyberCNS.

  • Click Azure Active Directory for that customer, which redirects to the Microsoft Azure portal.

  • Select Azure Active Directory > Enterprise applications > Consent and permissions > User consent settings.

  • Under User consent for applications, select the consent setting you want to configure for all users (a snapshot is attached below for reference).

  • Select Save to save your settings.

Wait 10 to 15 minutes after granting consent; sometimes it takes more than 2 hours, as Microsoft takes time to approve the application. After approval the data is populated in the CyberCNS portal.

Patching related issues

Match the CyberCNS data under Asset Details > Installed Patches

Use the command below on the Windows system whose installed KBs need verifying. This helps match the CyberCNS data under Asset Details > Installed Patches. (The Get-HotFix cmdlet returns the same list from PowerShell on systems where wmic is no longer available.)

command:  wmic qfe get HotfixID

Chocolatey community repo via RMM

Partner uses the Chocolatey community repo via RMM, and it looks like maybe after trying to update some programs with Chocolatey through CyberCNS, it changed the local computer version to try to use a CyberCNS repo. Is there a way we should switch this back in our script in our RMM so we don't get these auth errors? Below is what we're seeing:

Error: Invalid credentials specified. Error retrieving packages from source 'https://chocolateyrepo.mycybercns.com/chocolatey':

The remote server returned an error: (401) Unauthorized.

ANS: Before upgrading with Chocolatey, run the command below in PowerShell as an administrator (it removes the CyberCNS package source) and then try the upgrade again.

>>choco source remove -n=cybercns

Log file location: ​Chocolatey logs can be found in "C:\Program Files (x86)\CyberCNSAgentV2\CyberPatch\logs".

  • If you installed Chocolatey manually, find the log in "C:\ProgramData\Chocolatey\logs".

Patching: when FIPS mode is enabled (Chocolatey FIPS error)

Patching: when FIPS mode is enabled, Chocolatey requires the useFipsCompliantChecksums feature to be enabled as well (Chocolatey FIPS error).

Patching fails with the error above when FIPS compliance is enabled on the Lightweight agent machine. Log in to the machine where patching is failing and run the command below in PowerShell as an administrator.

Command: choco feature enable --name="'useFipsCompliantChecksums'"

Once the command has run successfully, initiate patching again.

CyberCNS API issues

Which type of authentication does the CyberCNS API use?

CyberCNS API documentation
CyberCNS supports both OAuth2 and API tokens. A Postman collection can be shared on request.

Remediation related issue

Log4j

Thank you for using CyberCNS. As announced, the CyberCNS instances themselves were patched immediately.

To enable remediation, detection of the log4j vulnerability has been added, again with the focus on making everything actionable.

The new plugin scans machines to find all Java processes and searches each process's classpath for a vulnerable version of log4j. If one is found, it checks whether a mitigation has been applied; if not, it marks the asset as vulnerable, and this is shown on the first dashboard.

osquery: pull and verify related data

  1. On the agent system, open Command Prompt as an administrator

  2. Navigate to the CyberCNS Agent folder

Step 1: cd C:\Program Files (x86)\CyberCNSAgentV2
Step 2: osqueryi.exe

  3. Run the desired or requested query and share a screenshot of the output.

Eg. Step 3: SELECT vendor, version, date, revision, extra, address, size, volume_size, firmware_type FROM platform_info;

Vulnerabilities related issues

JNDI lookup status is tested in relation to CVE-2021-44228

Can I get some details on how the JNDI lookup status is tested in relation to CVE-2021-44228? Are you actually attempting the exploit using the JNDI:LDAP or DNS string and waiting to see if there's a reply, or is the scanner checking a config file for the JNDI status? Also, are the external scanners also trying the exploit to see if public-facing hosts are vulnerable?

The internal (authenticated) scanner checks whether any process is using the log4j jar, and also checks all the parameters configured for that process, to mark it as vulnerable or not vulnerable for CVE-2021-44228.

Log4j vulnerabilities are found from the Java processes running on the system: the scanner validates whether each process uses the Log4j component and, if it does, inspects the global environment variables that are set and the JVM options provided to that process. If, after considering all of this, a process matches the vulnerability criteria, it is shown as vulnerable.

Once the authenticated vulnerability scan completes successfully, the results are visible in the dashboards.

NOTE:

--CyberCNS identifies log4j as vulnerable for anything below version 2.17.0.

The Ubiquiti software updated its log4j but is still on version 2.16.0, so it is still vulnerable and appears on your dashboard.

 Why is version 2.16.0 treated as vulnerable?

2.16.0 is affected by CVE-2021-45105, which was fixed in 2.17.0; see the link below:

https://snyk.io/blog/log4j-2-16-vulnerability-cve-2021-45105-discovered/

--The external scan tests the open ports for log4j with a callback payload and, if a port is found vulnerable, triggers a mail to the configured email ID. (Yes, only the external scan triggers an email notification when a log4j vulnerability is found.)
​If you do not receive a mail, no host answered the payload being used, so no log4j vulnerability was triggered. To verify that CyberCNS is working you can download the following application and run it on any machine:

https://github.com/christophetd/log4shell-vulnerable-app
Once it is running you can trigger an external scan, or a Probe/LW-based scan, and you should see it on the dashboard and receive the mail from Canary Tokens.

There are three modes of Log4j detection. The one on the dashboard is a deep scan that finds Log4j instances on any of the machines. In the case of VMware, however, there is no access to the vCenter filesystem to determine whether the system is vulnerable.

​So for vCenter a version-based detection of the Log4j vulnerability is used, and that shows in the internal Vulnerabilities report.

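The classpath-plus-parameters check described above, and the version threshold from the NOTE, can be written down as a small classifier. The following is an added example and not CyberCNS's plugin: it walks a constructed process list, extracts the log4j-core jar from each Java command line, applies the page's rule (anything below 2.17.0 is flagged) and separately records whether the formatMsgNoLookups JVM option or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable is set, since that mitigation only ever addressed CVE-2021-44228 and only on log4j 2.10 and later. The sample command lines and paths are constructed for the demo.

```python
"""Added example (not CyberCNS's plugin): classify running Java processes by the
log4j-core version on their classpath, using the rule stated above (anything
below 2.17.0 is flagged) and noting whether the formatMsgNoLookups mitigation
for CVE-2021-44228 is set via JVM option or environment variable."""
import re
from typing import NamedTuple, Optional

LOG4J_CORE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
FIXED_VERSION = (2, 17, 0)          # the page's threshold (CVE-2021-45105 fixed here)
NO_LOOKUPS_OPT = "-Dlog4j2.formatMsgNoLookups=true"
NO_LOOKUPS_ENV = "LOG4J_FORMAT_MSG_NO_LOOKUPS"


class Finding(NamedTuple):
    pid: int
    version: tuple
    vulnerable: bool        # version < 2.17.0, per the page's rule
    lookups_disabled: bool  # mitigation flag present (only honoured by log4j >= 2.10)


def classpath_jars(cmdline):
    """Collect jar paths from -cp/-classpath lists and -jar arguments.
    Wildcard entries (lib/*) are not expanded here; a real collector lists them."""
    tokens = cmdline.split()
    jars = []
    for i, tok in enumerate(tokens):
        if tok in ("-cp", "-classpath") and i + 1 < len(tokens):
            entry = tokens[i + 1]
            sep = ";" if ";" in entry else ":"   # Windows vs POSIX path separator
            jars.extend(p for p in entry.split(sep) if p)
        elif tok == "-jar" and i + 1 < len(tokens):
            jars.append(tokens[i + 1])
    return jars


def log4j_core_version(jars):
    for jar in jars:
        name = jar.replace("\\", "/").rsplit("/", 1)[-1]
        m = LOG4J_CORE.match(name)
        if m:
            return tuple(int(x) for x in m.groups())
    return None


def lookups_disabled(cmdline, env):
    return NO_LOOKUPS_OPT in cmdline.split() or env.get(NO_LOOKUPS_ENV, "").lower() == "true"


def classify(proc) -> Optional[Finding]:
    """proc = {'pid': int, 'cmdline': str, 'env': dict}. Returns None when the
    process does not load log4j-core from a plainly named jar; shaded or
    repackaged jars need the deeper classpath inspection the text describes."""
    version = log4j_core_version(classpath_jars(proc["cmdline"]))
    if version is None:
        return None
    return Finding(proc["pid"], version, version < FIXED_VERSION,
                   lookups_disabled(proc["cmdline"], proc.get("env", {})))


# Constructed process list standing in for what a ps/WMI walk would return.
SAMPLE_PROCESSES = [
    {"pid": 101, "cmdline": "java -Dlog4j2.formatMsgNoLookups=true -cp app.jar:lib/log4j-core-2.14.1.jar:lib/log4j-api-2.14.1.jar com.example.App", "env": {}},
    {"pid": 102, "cmdline": "java -cp /opt/unifi/lib/log4j-core-2.16.0.jar:/opt/unifi/lib/ace.jar com.ubnt.ace.Launcher", "env": {}},
    {"pid": 103, "cmdline": "java -cp C:\\svc\\lib\\log4j-core-2.17.1.jar;C:\\svc\\app.jar com.example.Svc", "env": {"LOG4J_FORMAT_MSG_NO_LOOKUPS": "true"}},
    {"pid": 104, "cmdline": "java -cp tomcat/lib/*:webapp.jar org.apache.catalina.startup.Bootstrap", "env": {}},
]


def scan(processes):
    """Return {pid: Finding} for every process that loads a recognisable log4j-core jar."""
    return {f.pid: f for f in map(classify, processes) if f is not None}


if __name__ == "__main__":
    for pid, f in scan(SAMPLE_PROCESSES).items():
        print(pid, ".".join(map(str, f.version)), "VULNERABLE" if f.vulnerable else "ok",
              "(lookups disabled)" if f.lookups_disabled else "")
```

Note that pid 101 is still reported as vulnerable even though the noLookups flag is set: that matches the page's 2.17.0 rule, since the flag does nothing for CVE-2021-45105, and pid 104 is returned as unknown rather than clean because a wildcard classpath hides what is actually loaded.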
Active Directory Audit

Active Directory Audit: how to use this feature

A domain controller must have a Lightweight agent or the Probe agent installed; the audit data is read from the domain controller's event log. The audit policy that produces those events has to be enabled first (see Alerts/Notification rules below).

Assets information mismatch

BitLocker encryption status showing 'Unknown' in the UI

'Unknown' corresponds to PROTECTION UNKNOWN, the value 2 returned by the GetProtectionStatus method of the Win32_EncryptableVolume class (0 is protection off, 1 is protection on); refer to the link below.

Win32_EncryptableVolume class - Win32 apps

CyberCNS platform password cryptography related queries

  1. How does CyberCNS store credentials within the platform?

    1. Master and asset credentials of users are stored as a one-way hash using the PBKDF2 algorithm with salts and 27,500 hash iterations.

  2. What is the key type used (one-way hash, symmetric encryption, etc.)?

    1. Symmetric encryption with dynamic keys per company+partner combination

  3. Algorithm used (bcrypt, PBKDF2, scrypt, Argon2, etc.)

    1. The algorithm is Fernet with SHA-256 (Fernet is AES-128-CBC with an HMAC-SHA256 authentication tag)

  4. Key length (please include whether the credentials are stored with a salt and pepper)

    1. Credentials are stored with a salt but no pepper

​Alerts/Notification rules

  • AD audit scans / alerts not running

  • To perform an AD audit on a domain controller, the audit events must be enabled first.

  • Once enabled, the CyberCNS agent reads the events every 15 minutes and pushes them to your CyberCNS domain.

  • To verify which audit events are currently enabled, run the following command:

    >> auditpol /get /category:*

    • This lists all the audit categories and subcategories with their current setting.

  • To enable the audit events, use the commands given below.
    Create a ".bat" file with the lines below, trimmed to the user's audit requirements, or run the individual commands one at a time (e.g. AUDITPOL /SET /SUBCATEGORY:"Security State Change" /SUCCESS:ENABLE). These are per-machine settings: a domain GPO that defines Advanced Audit Policy overwrites them at the next policy refresh, so if such a GPO applies to the domain controllers, put the same settings there.

    @echo OFF

    Rem Enable Security System Extension

    echo Enabling "Security System Extension"

    AUDITPOL /SET /SUBCATEGORY:"Security System Extension" /SUCCESS:ENABLE

    echo Enabling "Security State Change"

    AUDITPOL /SET /SUBCATEGORY:"Security State Change" /SUCCESS:ENABLE

    AUDITPOL /SET /SUBCATEGORY:"Logon" /SUCCESS:ENABLE /FAILURE:ENABLE

    AUDITPOL /SET /SUBCATEGORY:"Logoff" /SUCCESS:ENABLE

    AUDITPOL /SET /SUBCATEGORY:"Other Logon/Logoff Events" /SUCCESS:ENABLE

    AUDITPOL /SET /SUBCATEGORY:"Network Policy Server" /SUCCESS:ENABLE /FAILURE:ENABLE

    AUDITPOL /SET /SUBCATEGORY:"Application Generated" /SUCCESS:ENABLE /FAILURE:ENABLE

    AUDITPOL /SET /SUBCATEGORY:"Other Object Access Events" /SUCCESS:ENABLE

    AUDITPOL /SET /SUBCATEGORY:"Process Creation" /SUCCESS:ENABLE

    AUDITPOL /SET /SUBCATEGORY:"Process Termination" /SUCCESS:ENABLE

    AUDITPOL /SET /SUBCATEGORY:"Authentication Policy Change" /SUCCESS:ENABLE

    AUDITPOL /SET /SUBCATEGORY:"Authorization Policy Change" /SUCCESS:ENABLE

    AUDITPOL /SET /SUBCATEGORY:"User Account Management" /SUCCESS:ENABLE /FAILURE:ENABLE

    AUDITPOL /SET /SUBCATEGORY:"Computer Account Management" /SUCCESS:ENABLE

    AUDITPOL /SET /SUBCATEGORY:"Security Group Management" /SUCCESS:ENABLE

    AUDITPOL /SET /SUBCATEGORY:"Distribution Group Management" /SUCCESS:ENABLE

    AUDITPOL /SET /SUBCATEGORY:"Directory Service Changes" /SUCCESS:ENABLE

    AUDITPOL /SET /SUBCATEGORY:"Directory Service Access" /SUCCESS:ENABLE

    AUDITPOL /SET /SUBCATEGORY:"Other Account Logon Events" /SUCCESS:ENABLE /FAILURE:ENABLE

    AUDITPOL /SET /SUBCATEGORY:"Kerberos Authentication Service" /SUCCESS:ENABLE /FAILURE:ENABLE
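Rather than reading the auditpol table by eye, the "verify" step above can be automated against the list the batch file enables. The following is an added example, not CyberCNS code: it parses the human-readable output of auditpol /get /category:* (English locale, the format the page shows), compares it with the subcategories above, and prints the AUDITPOL commands still needed. The auditpol excerpt is constructed for the demo; on a non-English system use the /r switch, which emits the same data as CSV with locale-independent GUIDs.

```python
"""Added example (not CyberCNS code): parse the table printed by
`auditpol /get /category:*` and report which subcategories still fall short of
the settings the batch file above enables."""
import re

# Subcategory -> settings the batch file above requires.
REQUIRED = {
    "Security System Extension": {"success"},
    "Security State Change": {"success"},
    "Logon": {"success", "failure"},
    "Logoff": {"success"},
    "Other Logon/Logoff Events": {"success"},
    "Network Policy Server": {"success", "failure"},
    "Application Generated": {"success", "failure"},
    "Other Object Access Events": {"success"},
    "Process Creation": {"success"},
    "Process Termination": {"success"},
    "Authentication Policy Change": {"success"},
    "Authorization Policy Change": {"success"},
    "User Account Management": {"success", "failure"},
    "Computer Account Management": {"success"},
    "Security Group Management": {"success"},
    "Distribution Group Management": {"success"},
    "Directory Service Changes": {"success"},
    "Directory Service Access": {"success"},
    "Other Account Logon Events": {"success", "failure"},
    "Kerberos Authentication Service": {"success", "failure"},
}

# Constructed excerpt of English-locale auditpol output: categories are flush
# left, subcategories indented two spaces, columns separated by runs of spaces.
SAMPLE_AUDITPOL = """System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               Success
  System Integrity                        Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success
  Logoff                                  Success
  Other Logon/Logoff Events               No Auditing
Account Logon
  Kerberos Authentication Service         No Auditing
  Other Account Logon Events              Success and Failure
Detailed Tracking
  Process Creation                        Success and Failure
"""

SETTING_WORDS = {"no auditing": set(), "success": {"success"}, "failure": {"failure"},
                 "success and failure": {"success", "failure"}}


def parse_auditpol(text):
    """Return {subcategory: subset of {'success', 'failure'}} from the table."""
    policy = {}
    for line in text.splitlines():
        if not line.startswith("  "):        # title and category headers are not indented
            continue
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) != 2:
            continue
        name, setting = cols
        if setting.lower() in SETTING_WORDS:
            policy[name] = SETTING_WORDS[setting.lower()]
    return policy


def missing_audit_settings(policy, required=REQUIRED):
    """Return {subcategory: settings still to enable}. Subcategories absent from
    the output (an excerpt, or a locale that renamed them) are reported in full,
    so nothing is silently assumed to be switched on."""
    gaps = {}
    for sub, want in required.items():
        have = policy.get(sub, set())
        if want - have:
            gaps[sub] = want - have
    return gaps


if __name__ == "__main__":
    # Emit the exact AUDITPOL lines that would close each gap.
    for sub, need in sorted(missing_audit_settings(parse_auditpol(SAMPLE_AUDITPOL)).items()):
        flags = " ".join(f"/{s.upper()}:ENABLE" for s in sorted(need))
        print(f'AUDITPOL /SET /SUBCATEGORY:"{sub}" {flags}')
```

Run it with the real output redirected to a file and pasted into SAMPLE_AUDITPOL (or read from stdin); the printed lines are the remaining commands to add to the batch file. Because an absent subcategory is treated as a gap, the output errs on the side of enabling rather than assuming.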

Recommended browser for interface

The interface seems sluggish. Is there a recommended browser for the best results?

Ans: Google Chrome is the best browser for the best results.

 

Using paexec to execute applications without installation

The pypsexec library is a Python implementation of the psexec tool, which allows remote execution of commands on Windows systems. It uses the paexec binary to execute processes remotely.

The workflow below is the standard approach used by tools such as psexec and pypsexec for remote service execution. These are the steps involved:

  • Establish an SMB connection to the remote host.

  • Copy the paexec binary to the ADMIN$ share of the remote host. ADMIN$ is a built-in administrative share that maps to the Windows directory of the remote machine.

  • Create a service on the remote host that runs the paexec binary. This service is responsible for executing the desired process or command.

  • Start the service to initiate the execution of the remote process.

  • After the agent execution completes, stop and remove the paexec service from the remote host.

  • Remove the paexec binary from the ADMIN$ share of the remote host.

The agent removes paexec after the scan. Because this is the same file-drop plus service-install sequence that lateral-movement tooling uses, expect it to appear in the remote host's System log as a service installation (event ID 7045) and in EDR telemetry; that is why the exclusions in the AV/EDR section above are needed, and why the RStartServiceW access-denied error above appears when service creation is blocked.

Dashboards FAQs

Q: Why are peaks and troughs seen in the historical trending graphs? How do we verify it?

Ans: Because there may be no data within the time window selected (for example 3 hours) to show in the trending graphs.

The graph is generated by the dashboard tool from the data produced by the scans.

It can be due to three reasons:

  • If the scan scheduler is set to run every 24 hours, viewing graphs for intervals of 3 hours or 12 hours may leave no data to show. If there are scans and you view a graph for 24 hours (or 1 day), it shows an unbroken continuous line.

  • The periodic scan scheduler may have been removed, leading to no scans and consequently no data to display in the graph.

  • Assets may be offline, so scans would not have detected them.

To see a continuous graph, select a period of the last 90 days or the last 1 year in the dashboards, as shown below:

As shown in the graphs from one of our portals, there is a clear unbroken line of data for both the last 90 days and the last 1 year.

For the past 90 days:

For the past 1 year:

  • The time period of the dashboards can be adjusted by clicking the Time Frame calendar icon and selecting the desired period.

 

PowerShell 2.0 status check

PowerShell 2.0 is detected as enabled or disabled by running the commands shared below. Verify the PowerShell 2.0 status on one of the reported server machines by running the following PowerShell command:
Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWind owsPowerShellV2 | foreach { $_.State }

To disable it, run the following PowerShell command with administrator privileges (PowerShell 2.0 predates script block logging and AMSI, so leaving it installed gives an attacker a logging-free engine to downgrade to):
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2